> On Wed, Apr 24, 2019 at 09:21:08PM -0000, David Fournier wrote:
>
> Hi,
>
> I'm sorry there is no such switch or options. Currently SSSD explicitly
> uses a short name (without the '@...' part) because typically other PAM
> modules are confused by this type of name.
>
> Feel free to open an RFE on https://pagure.io/SSSD/sssd/ to add an option
> to use the unmodified name from the login prompt here.
>
> If you are interested in trying it on your own have a look at
> src/providers/proxy/proxy_child.c:
>
> 212     ret = sss_parse_internal_fqname(auth_data, pd->user, &shortname,
>                                         NULL);
> 213     if (ret != EOK) {
> 214         goto fail;
> 215     }
> 216
> 217     ret = pam_start(pam_target, shortname, &conv, &pamh);
> 218     if (ret == PAM_SUCCESS) {
>
> If you replace 'shortname' in line 217 with 'pd->user' it might already
> work. Even better would be 'pd->logon_name' because this contains the
> unmodified name given at the login prompt. But here you have to add this
> member to the PAM data sent and received in
> src/sss_iface/sss_iface_types.c which is a bit more complicated.
>
> bye,
> Sumit

Thank you very much Sumit, I'll open an RFE and will definitely try the
modification you suggest. I'll report the results once it's done.

For now I'm using a workaround where we created a PAM module that appends
the domain name to the user, which we insert at the top of our
proxy_pam_target file. The downside is that we need a different
proxy_pam_target configuration for every domain. A switch within sssd
configuration file would be nicer.

Thanks again for your precise answer!
